OpenEdge-performed authentication and SSO
- Last Updated: January 16, 2024
- OpenEdge
- Version 12.8
- Documentation
Using client-principal objects, ABL lets you set the same or a separate user identity for each of an application's ABL sessions and database connections, and also maintain a separate identity for the ABL application as a whole. To set session and database connection identity, ABL supports the following mechanisms for user authentication, SSO operations, or both:
- AVM startup — Optionally authenticates a user identity for each database connection by specifying the User ID (-U) and Password (-P) startup parameters on the command line or in a parameter file. The domain specified for each user ID must be authentication-enabled. For each successfully authenticated database connection, OpenEdge creates a sealed client-principal object to represent the connection identity that you can return to an ABL session using the GET-DB-CLIENT function. Note: This mechanism does not support domains configured with user-defined authentication systems that are authentication-enabled using ABL callbacks.
- CONNECT statement — Authenticates user identities for new database connections exactly as for AVM startup, but from within the ABL application.
- SETUSERID function - Attempts to set the user identity for a single existing database connection in a user authentication operation from a specified user ID and password. The user ID can only specify domains configured for the _oeuser table authentication system. If the user authentication is successful, OpenEdge creates an authenticated and sealed client-principal object to represent the connection identity that you can return to an ABL session using the GET-DB-CLIENT function. Note: If successful, setting a database connection identity with this function locks out any setting of this connection identity using the SET-CLIENT( ) method on the SECURITY-POLICY system handle. SET-CLIENT( ) can be unlocked to set this connection identity by invoking SET-DB-CLIENT with the Unknown value (?) passed in place of the client-principal handle. Note: With limited domain support, Progress Software recommends that existing applications replace calls to this function with calls to the SET-DB-CLIENT function.
- SET-DB-CLIENT function - Attempts to set the user identity represented by a client-principal object for an existing database connection. It performs a user authentication operation if the client-principal is unsealed and the specified domain supports it, and seals the object if the authentication is successful. It performs an SSO operation if the client-principal object is sealed. Note: If successful, setting a database connection identity with this function locks out any setting of this connection identity using the SET-CLIENT( ) method on the SECURITY-POLICY system handle. SET-CLIENT( ) can be unlocked to set this connection identity by invoking SET-DB-CLIENT with the Unknown value (?) passed in place of the client-principal handle.
- SET-CLIENT( ) method - This method on the SECURITY-POLICY system handle initially attempts to set the user identity represented by a client-principal object for the current ABL session. It performs a user authentication operation if the client-principal is unsealed and the specified domain supports it, and seals the object if the authentication is successful. It performs an SSO operation if the client-principal object is sealed. If it successfully sets the session identity, it then attempts to set the identity for every connected database by implicitly calling the SET-DB-CLIENT function in an SSO operation on each database connection.
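The following ABL procedure is an added example, not code from the OpenEdge documentation, showing the authentication-then-SSO sequence described above: an unsealed client-principal is authenticated and sealed by the first SET-DB-CLIENT call, the sealed object is then propagated to a second connection as an SSO operation, and the lock-out is cleared by passing the Unknown value (?). The database aliases "sports" and "orders", the domain "sales", the user "jdoe" and the password are assumed placeholders.

```abl
/* Added example (not from the OpenEdge docs). Assumes two connected databases
   with logical names "sports" and "orders", and a user "jdoe" in an
   authentication-enabled domain "sales"; all of these are placeholders. */
DEFINE VARIABLE hCP     AS HANDLE  NO-UNDO.
DEFINE VARIABLE hConnCP AS HANDLE  NO-UNDO.
DEFINE VARIABLE lOK     AS LOGICAL NO-UNDO.

/* Build an unsealed client-principal carrying the credentials. */
CREATE CLIENT-PRINCIPAL hCP.
hCP:INITIALIZE("jdoe@sales", "sess-0001", ?, "s3cret-placeholder").
/* Arguments: user-id, session-id, login-expiration (? = none), password. */

/* Unsealed object: SET-DB-CLIENT performs a user authentication operation
   against the "sales" domain and seals hCP if it succeeds. */
lOK = SET-DB-CLIENT(hCP, "sports").
IF NOT lOK THEN DO:
    /* STATE-DETAIL explains why the identity was rejected (e.g. bad password). */
    MESSAGE "Authentication failed:" hCP:STATE-DETAIL VIEW-AS ALERT-BOX ERROR.
    DELETE OBJECT hCP.
    RETURN.
END.

/* hCP is now sealed (LOGIN-STATE = "LOGIN"), so this second call is an SSO
   operation: the seal is validated instead of re-checking the password. */
lOK = SET-DB-CLIENT(hCP, "orders").
IF NOT lOK THEN
    MESSAGE "SSO to orders failed:" hCP:STATE-DETAIL VIEW-AS ALERT-BOX ERROR.

/* Read back the identity OpenEdge holds for the "sports" connection. */
hConnCP = GET-DB-CLIENT("sports").
MESSAGE "Connection identity:" hConnCP:USER-ID "domain:" hConnCP:DOMAIN-NAME
        "state:" hConnCP:LOGIN-STATE VIEW-AS ALERT-BOX INFORMATION.

/* A successful SET-DB-CLIENT locks SECURITY-POLICY:SET-CLIENT( ) out of this
   connection; passing ? in place of the handle removes that lock so a later
   SET-CLIENT( ) can again propagate the session identity to "orders". */
lOK = SET-DB-CLIENT(?, "orders").

DELETE OBJECT hCP.
```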